U.S. Department of Energy
Office of Inspector General
Office of Inspections and Special Inquiries

Inspection Report

Internal Controls Over the Accountability of Computers at Sandia National Laboratory, New Mexico

DOE/IG-0660                                            August 2004

This inspection complements similar work performed by the Office of Inspector General at several other DOE sites.

MANAGEMENT REACTION

Management concurred with our recommendations and has taken or initiated corrective actions. Management's comments are provided in their entirety in Appendix B of the report.

We found management's comments to be responsive to our report.

Attachment

cc: Deputy Secretary
    Administrator, National Nuclear Security Administration
    Under Secretary for Energy, Science and Environment
    Director, Office of Security and Safety Performance Assurance
    Director, Policy and Internal Controls Management
    Director, Office of Program Liaison and Financial Analysis

INTERNAL CONTROLS OVER THE ACCOUNTABILITY OF COMPUTERS AT SANDIA NATIONAL LABORATORY, NEW MEXICO

TABLE OF CONTENTS

OVERVIEW
    Introduction and Objective
    Observations and Conclusions

DETAILS OF FINDINGS
    Nonaccredited Peripheral Devices
    Property Management Controls
    Other Property Management Issues

RECOMMENDATIONS

MANAGEMENT COMMENTS

INSPECTOR COMMENTS

APPENDICES
    A. Scope and Methodology
    B. Management Comments

Overview

INTRODUCTION AND OBJECTIVE

Computers are used extensively in the full range of operations at Sandia National Laboratory (Sandia), Albuquerque, New Mexico, including the processing of classified information. Sandia reported an inventory of over 5,400 laptop and 23,800 desktop computers at the end of Fiscal Year 2002. Department of Energy (DOE) and Sandia property policies identify computers as "sensitive property," due in part to their susceptibility to theft and potential for conversion to cash. As such, we believe that management controls over computers throughout the DOE complex must remain robust and consistent. Therefore, we initiated an inspection of Sandia's management controls over computers. Specifically, the objective of this inspection was to determine the adequacy of internal controls over desktop and laptop computers at Sandia.

This inspection complements similar work performed by the Office of Inspector General at various DOE sites, the results of which may be found in the following reports: "Interim Inspection Report on Inspection of Internal Controls Over Personal Computers at Los Alamos National Laboratory" (DOE/IG-0597, April 2003); "Internal Controls Over Laptop and Desktop Computers at the Savannah River Site" (INS-L-03-09, July 29, 2003); "Internal Controls Over Classified Computers and Classified Removable Media at the Lawrence Livermore National Laboratory" (DOE/IG-0628, December 2003); "Management of Sensitive Equipment at Selected Locations" (DOE/IG-0606, June 2003); and "Internal Controls Over Personal Computers at Los Alamos National Laboratory" (DOE/IG-0656, August 2004).

OBSERVATIONS AND CONCLUSIONS

We concluded that internal controls over classified and unclassified desktop, laptop, and related computer equipment at Sandia could be improved. We identified internal control weaknesses that undermine confidence in Sandia's ability to assure that laptop, desktop, and related computer equipment is appropriately controlled and adequately safeguarded from loss or theft, and that classified computer use meets security standards. Specifically, we found that Sandia:

• Used computer peripherals for classified processing without appropriate accreditation;

• Had no property controls for computers with a purchase price below $1,000, including computer peripherals connected to classified systems, which could weaken the accountability and control of sensitive and classified information; and

• Had not effectively implemented property management controls for computers built in-house or procured with purchase cards.

Details of Findings

NONACCREDITED PERIPHERAL DEVICES

Sandia used computer peripherals for classified processing without appropriate accreditation. Computer peripherals include personal digital assistants (PDAs) and personal electronic devices (PEDs). In at least two instances, computer peripherals were connected to a classified system without appropriate accreditation.

Accreditation, which is required by DOE M 471.2-2, "Classified Information Systems Security Manual," is the authorization by a designated approval authority that a computer can be used to process classified information in a specific environment, based on the computer meeting pre-specified technical requirements for achieving adequate data security. All systems are to be reviewed and accredited before they become operational, to ensure the appropriate level of confidentiality, availability, and integrity of the classified information to be processed on them. Using PDAs/PEDs to process classified information before they are accredited violates DOE requirements designed to ensure that national security interests are protected.

Sandia computer security personnel told us at the time of our on-site inspection that no accreditation paperwork had been prepared for the PDAs/PEDs, but that they would take action to correct this condition. Subsequent to this discussion, Sandia officials took corrective action and provided the Office of Inspector General with the appropriate accreditation documentation.

PROPERTY MANAGEMENT CONTROLS

Sandia had no property controls for computers and computer peripherals with a purchase price below $1,000, including those accredited for classified processing. As a result, accountability and control over sensitive and classified information at Sandia are weakened. Specifically, in August 1996, DOE authorized Sandia to eliminate property management controls on sensitive items[1] with a purchase price below $1,000. Subsequently, computers and computer peripherals with a purchase price below $1,000 were not assigned property numbers and were not tracked in Sandia's property inventory.

The authorization to eliminate property management controls excluded those items "where the primary determinant of their designation as sensitive property was based solely on the type of item," such as "firearms, notebook computers, and cell phones." We determined that Sandia nevertheless eliminated property management controls on all computers with a purchase price below $1,000, which we believe circumvents the intent of DOE guidelines and created a property management control system different from those at other comparable DOE sites.

Then, in April 1998, DOE authorized Sandia to eliminate property management controls on sensitive items that exceed their service life. This authorization was based on a Sandia cost/benefit analysis that showed an anticipated annual cost avoidance of $311,743 if sensitive item property control requirements were relaxed. The cost/benefit analysis stated that "current" losses due to shortage and theft amounted to only $12,736 annually for sensitive items.

However, these authorizations may no longer be relevant given the substantial changes in computing technology since 1996 and the corresponding increase in computer security concerns. Since 1996, the processing power and storage capacity of computers have dramatically increased, while their cost has significantly decreased. In addition, new and inexpensive devices, such as computer peripherals, have been created that can store large amounts of classified and unclassified information. The cost avoidance and loss figures cited above concern the hardware itself; the consequence of an untracked device today is the information it may hold. By not tracking computers and computer peripherals with an acquisition cost below $1,000, or that have exceeded their service life, Sandia is unable to report the loss or theft of such equipment or to conduct appropriate inquiries to determine the disposition of sensitive or classified information when the equipment cannot be located.

[1] The Code of Federal Regulations, 41 CFR 109, defines "sensitive items" as those items of personal property that are considered to be susceptible to being appropriated for personal use or that can be readily converted to cash. Examples include firearms, computers, cameras, and portable tools.

OTHER PROPERTY MANAGEMENT ISSUES

Sandia had not effectively implemented property management controls for computers built in-house or procured with purchase cards. We determined that Sandia personnel built at least two computers in-house from parts obtained through purchase card acquisitions and used these computers for classified processing. Although these computers were accredited, they were never assigned a Sandia property number and were not tracked in the Sandia property inventory.

Under Sandia's property management policy, sensitive property that is assembled from parts with an acquisition cost of less than $1,000 must be assigned a property number tag and tracked in Sandia's Fixed Assets Database when the value of the assembled item is $1,000 or greater. However, in the case of the two computers that were built in-house, we determined that Sandia made no assessment of the value of these computers after assembly to justify not tracking them in the Sandia Fixed Assets Database. The computers subsequently were placed into service and processed classified information without property controls. While we were not able to identify the actual cost of the parts used to assemble these computers, we believe the value of the assembled items was in excess of $1,000.

In addition, contrary to policy, Sandia continues to allow the acquisition of computers through the use of purchase cards. Sandia purchase card policy developed in 1997 prohibited the use of purchase cards for the acquisition of computers with a cost of $1,000 or more. However, between May 2000 and March 2003, for example, Sandia authorized 32 one-time exceptions and 18 blanket exceptions to this policy.

In March 2003, Sandia revised its policy to prohibit the use of purchase cards for the acquisition of desktop and laptop computers, regardless of cost. The policy states that purchase card procurements of property, including computers, would only be authorized in exceptional circumstances (i.e., there was no other procurement mechanism available or it was a mission-critical purchase with proper authorization). However, since this policy went into effect, Sandia has authorized 11 one-time exceptions and 1 blanket exception.

RECOMMENDATIONS

We recommend that the Manager, Sandia Site Office, take appropriate action to ensure that:

1. All computing devices connected to classified systems at Sandia are accredited according to DOE policy prior to classified processing.

2. The authorization to eliminate property management controls for sensitive property with an acquisition value under $1,000 at Sandia is re-evaluated.

3. All computers constructed by Sandia are assessed to determine their value after assembly, and property numbers are assigned in accordance with property management thresholds.

4. Sandia re-evaluates the exception process for using purchase cards to acquire computers.

5. The issues raised in this report are considered in the next Site Office evaluation of Sandia's property management performance measures.

MANAGEMENT COMMENTS

In comments on our draft report, management concurred with our recommendations and stated that corrective actions have been taken or are underway.

INSPECTOR COMMENTS

We found management's comments to be responsive to our report. We note that an attachment to management's response identified a concern with the number of exceptions to Sandia's restrictions on using purchase cards to procure computers that we reported. We clarified the language in this section of the report and confirmed the accuracy of the revised language with Sandia staff.

Appendix A

SCOPE AND METHODOLOGY

We conducted the fieldwork portion of our review from December 2002 to April 2004. Our review included interviews with DOE officials from the National Nuclear Security Administration Service Center and the Sandia Site Office, officials from the Sandia Property and Computer Security Divisions, and subcontractor employees. We also reviewed applicable policies and procedures regarding property management.

Also, pursuant to the "Government Performance and Results Act of 1993," we reviewed Sandia's performance measurement processes as they relate to management controls over personal property.

This inspection was conducted in accordance with the "Quality Standards for Inspections" issued by the President's Council on Integrity and Efficiency.

Appendix B

MANAGEMENT COMMENTS

This report (IG Report No. DOE/IG-0660) is available electronically through the U.S. Department of Energy Office of Inspector General Home Page, http://www.ig.doe.gov.